qs@6.10.5 dependency issues deprecation warning #42

Closed
MikeMcC399 opened this issue Aug 24, 2023 · 6 comments · Fixed by #44
@MikeMcC399

MikeMcC399 commented Aug 24, 2023

Summary

When @cypress/request@3.0.0 is installed with Yarn Classic, then the following deprecation notice is output:

warning @cypress/request > qs@6.10.5: when using stringify with arrayFormat comma, [] is appended on single-item arrays. Upgrade to v6.11.0 or downgrade to v6.10.4 to fix.

The deprecation notice is not displayed if npm or pnpm is used to install @cypress/request@3.0.0. This is because these other package managers prefer non-deprecated versions to deprecated versions and therefore they select the alternative, non-deprecated, qs@6.10.4 version instead of selecting the deprecated qs@6.10.5 version.

Simplest Example to Reproduce

yarn add @cypress/request

Expected behavior

When @cypress/request is installed using Yarn, then no deprecation notice should be displayed.

Possible solution

The warning suggests:

Upgrade to v6.11.0 or downgrade to v6.10.4 to fix.

see qs CHANGELOG

Context

Your Environment

software version
@cypress/request 3.0.0
node v18.16.1
npm n/a
Yarn 1.22.19
Operating System Ubuntu 22.04.3 LTS

Logs

$ yarn add @cypress/request
yarn add v1.22.19
info No lockfile found.
[1/4] Resolving packages...
warning @cypress/request > qs@6.10.5: when using stringify with arrayFormat comma, `[]` is appended on single-item arrays. Upgrade to v6.11.0 or downgrade to v6.10.4 to fix.
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved lockfile.
success Saved 47 new dependencies.
info Direct dependencies
└─ @cypress/request@3.0.0
info All dependencies
├─ @cypress/request@3.0.0
├─ asn1@0.2.6
├─ asynckit@0.4.0
├─ aws-sign2@0.7.0
├─ aws4@1.12.0
├─ bcrypt-pbkdf@1.0.2
├─ call-bind@1.0.2
├─ caseless@0.12.0
├─ combined-stream@1.0.8
├─ core-util-is@1.0.2
├─ dashdash@1.14.1
├─ delayed-stream@1.0.0
├─ ecc-jsbn@0.1.2
├─ extend@3.0.2
├─ extsprintf@1.3.0
├─ forever-agent@0.6.1
├─ form-data@2.3.3
├─ getpass@0.1.7
├─ has-proto@1.0.1
├─ has-symbols@1.0.3
├─ has@1.0.3
├─ http-signature@1.3.6
├─ is-typedarray@1.0.0
├─ isstream@0.1.2
├─ json-schema@0.4.0
├─ json-stringify-safe@5.0.1
├─ jsprim@2.0.2
├─ mime-db@1.52.0
├─ mime-types@2.1.35
├─ object-inspect@1.12.3
├─ performance-now@2.1.0
├─ psl@1.9.0
├─ punycode@2.3.0
├─ qs@6.10.5
├─ querystringify@2.2.0
├─ requires-port@1.0.0
├─ safe-buffer@5.2.1
├─ safer-buffer@2.1.2
├─ side-channel@1.0.4
├─ sshpk@1.17.0
├─ tough-cookie@4.1.3
├─ tunnel-agent@0.6.0
├─ tweetnacl@0.14.5
├─ universalify@0.2.0
├─ url-parse@1.5.10
├─ uuid@8.3.2
└─ verror@1.10.0
Done in 1.60s.

Notes

cypress-io/request is configured with

"qs": "~6.10.3",

npm view qs@6.10.5 shows the deprecation notice

$ npm view qs@6.10.5

qs@6.10.5 | BSD-3-Clause | deps: 1 | versions: 108
A querystring parser that supports nesting and arrays, with a depth limit
https://github.com/ljharb/qs

DEPRECATED ⚠️  - when using stringify with arrayFormat comma, `[]` is appended on single-item arrays. Upgrade to v6.11.0 or downgrade to v6.10.4 to fix.

This is a deprecation notice, not a vulnerability warning. There are currently no vulnerabilities detected in @cypress/request:

$ yarn audit
yarn audit v1.22.19
0 vulnerabilities found - Packages audited: 52
Done in 0.36s.
@nagash77

Hi @MikeMcC399 ! Do you know if there are breaking changes in qs going from 6.10.3 -> 6.11.2? I'm also confused why this warning is showing since we are not above 6.10.4 which it suggests to downgrade to in order to avoid the problem.

@MikeMcC399 (Author)

Hi Ben @nagash77

Do you know if there are breaking changes in qs going from 6.10.3 -> 6.11.2?

I could not see any sign of breaking changes and the tests still pass. However I can't swear that nothing will break! I'm not familiar with the actual contents of qs. I just wanted to offer this PR in case it is helpful.

I'm also confused why this warning is showing since we are not above 6.10.4 which it suggests to downgrade to in order to avoid the problem.

Since package.json specifies a semver of "qs": "~6.10.3" it will pull the highest version which matches 6.10.x which is the deprecated 6.10.5.

If you are concerned about the risks of moving to 6.11.2, you could peg to 6.10.4 instead. I can submit that as an alternate PR so you can take your choice.
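The comment above explains why "~6.10.3" ends up at the deprecated 6.10.5 under Yarn Classic while npm and pnpm land on 6.10.4. The following is an added example, not code from the cypress-io/request project or from any package manager: a minimal model of tilde-range resolution over a constructed list of qs versions, with and without a "prefer non-deprecated" rule. The registry snapshot is constructed inline to mirror the versions discussed in this issue, and the `preferNonDeprecated` flag is a simplification of the behaviour the issue reports for npm/pnpm, not their actual resolver logic.

```javascript
// Added example (not cypress-io/request code): model how a tilde range such as
// "~6.10.3" resolves against published versions, with and without the
// "avoid deprecated versions" rule the issue attributes to npm and pnpm.

// Constructed snapshot of the qs versions discussed in the issue; 6.10.5 is
// the one `npm view qs@6.10.5` reports as DEPRECATED. Nothing is fetched.
const REGISTRY = [
  { version: "6.10.2", deprecated: false },
  { version: "6.10.3", deprecated: false },
  { version: "6.10.4", deprecated: false },
  { version: "6.10.5", deprecated: true },
  { version: "6.11.0", deprecated: false },
  { version: "6.11.2", deprecated: false },
];

// Parse "X.Y.Z" into three integers; pre-release tags are not modelled.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison, component by component (string comparison would
// wrongly order "6.9.0" above "6.10.0").
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// "~X.Y.Z" allows >= X.Y.Z and < X.(Y+1).0, i.e. patch-level updates only.
// A bare "X.Y.Z" (the pinned form used by PR #44) allows exactly that version.
function satisfies(version, range) {
  if (range.startsWith("~")) {
    const [maj, min, pat] = parseVersion(range.slice(1));
    const [vMaj, vMin, vPat] = parseVersion(version);
    return vMaj === maj && vMin === min && vPat >= pat;
  }
  return compareVersions(version, range) === 0;
}

// Resolve a range to a single version. preferNonDeprecated=false takes the
// highest matching version (what Yarn 1 does in this issue); true skips
// deprecated versions unless nothing else matches (what the issue reports
// for npm and pnpm). Returns null when no published version satisfies it.
function resolve(range, registry, { preferNonDeprecated }) {
  const matching = registry
    .filter((e) => satisfies(e.version, range))
    .sort((a, b) => compareVersions(b.version, a.version)); // highest first
  if (matching.length === 0) return null;
  if (preferNonDeprecated) {
    const live = matching.find((e) => !e.deprecated);
    if (live) return live.version;
  }
  return matching[0].version;
}

// Show the resolution for the range in package.json and for the pinned fix.
function demo() {
  const out = {};
  for (const range of ["~6.10.3", "6.10.4"]) {
    out[range] = {
      yarnLike: resolve(range, REGISTRY, { preferNonDeprecated: false }),
      npmLike: resolve(range, REGISTRY, { preferNonDeprecated: true }),
    };
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

The floating range gives two different lockfile outcomes depending on which package manager a consumer happens to use; the exact pin makes every resolver agree on 6.10.4, which is why the pinned form is the lower-risk change.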

@MikeMcC399 (Author)

MikeMcC399 commented Aug 25, 2023

@nagash77

As I was reviewing this, I noticed that @cypress/request already pulls in the qs@6.11.2 version through browserify:

@cypress/request@0.0.0-development /home/mike/github/cypress-io/request
├─┬ browserify@13.3.0
│ └─┬ url@0.11.1
│   └── qs@6.11.2
├─┬ coveralls@3.1.1
│ └─┬ request@2.88.2
│   └── qs@6.5.3
├─┬ karma@3.1.4
│ └─┬ body-parser@1.20.2
│   └── qs@6.11.0
└── qs@6.10.4

Edit: Except that may not be relevant if they are only devDependencies!

Maybe you can get a second opinion about the pros and cons of updating to 6.11.2?

Also it seems that npm doesn't try to install the deprecated version, whereas Yarn does, and then complains about it!

yarn why v1.22.19
[1/4] Why do we have the module "qs"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "qs@6.10.5"
info Has been hoisted to "qs"
info This module exists because it's specified in "dependencies".
info Disk size without dependencies: "284KB"
info Disk size with unique dependencies: "336KB"
info Disk size with transitive dependencies: "872KB"
info Number of shared dependencies: 7
=> Found "body-parser#qs@6.11.0"
info This module exists because "karma#body-parser" depends on it.
info Disk size without dependencies: "284KB"
info Disk size with unique dependencies: "336KB"
info Disk size with transitive dependencies: "872KB"
info Number of shared dependencies: 7
=> Found "url#qs@6.11.2"
info This module exists because "browserify#url" depends on it.
info Disk size without dependencies: "300KB"
info Disk size with unique dependencies: "352KB"
info Disk size with transitive dependencies: "888KB"
info Number of shared dependencies: 7
=> Found "request#qs@6.5.3"
info This module exists because "phantomjs-prebuilt#request" depends on it.
info Disk size without dependencies: "196KB"
info Disk size with unique dependencies: "196KB"
info Disk size with transitive dependencies: "196KB"
info Number of shared dependencies: 0
Done in 1.41s.

@MikeMcC399 (Author)

@nagash77

  • I'm now suggesting to pin to qs@6.10.4 through PR fix(deps): lock qs to 6.10.4 #44 to supersede the previous PR fix(deps): update qs to 6.11.2 #43

  • This is a very minimal change which fixes the issue for Yarn. npm and pnpm don't need a fix and the PR does not affect the version chosen by these other two package managers. I consider it low risk.

@cypress-app-bot

🎉 This issue has been resolved in version 3.0.1 🎉

The release is available on:

Your semantic-release bot 📦🚀
